I’ve been reading some claims recently that audits are decreasing, and while I understand where these are coming from, I think what we are seeing in the market contradicts this somewhat.
Basing an estimate of audit volumes on Gartner audit inquiries potentially misses a big segment of the market, as it is focused on the Tier One vendors. I would agree with Gartner that Microsoft and Adobe audits are down, but given that Adobe has effectively shuttered its European and US compliance programs, I’m actually surprised that there hasn’t been a bigger drop there.
Other Tier One vendors like IBM seem to have about the same audit level as we have seen historically.
However, the big growth area for audits has been in the Tier Two and even Tier Three software publishers, including:
- Quest continues to expand its audit program and is taking a more aggressive approach than Dell ever did.
- In addition to expanding the number of audits it conducts, MicroFocus is also expanding the product focus across its portfolio of legacy brands.
- Ivanti and Citrix both now have structured audit programs.
- Other software publishers we are seeing increased audit activity from include OpenText, Software AG, Tibco, StoneBranch, JD, BMC and Corel.
The most common challenge with these vendors when we start working with our customers is that they just aren’t on the radar from a SAM or compliance standpoint. Some of the investments are ancient in IT terms, and the spend may have been spread out over many years so that no single investment was big enough to warrant C-level attention (although the aggregated total spend can be huge).
Worse, because of the legacy nature of the apps, the chances are that few staff remain in the business that really understand how they were bought, what the terms were and even why they are critical to the organization.
Our experience is that the contracts and licensing for these legacy apps can be very restrictive, far too tight for how many organizations’ technology consumption has evolved in recent years (think virtualization, cloud and geographic diversity). A lot of legacy application licensing structures were either not designed for, or even expressly forbid, virtualization, for example. This can present a real compliance and cost risk to an organization that long ago forgot how application X was acquired and licensed.
All of this leads to potentially high risks that just aren’t being managed and can create a particularly nasty shock when an audit demand drops into the CIO’s mailbox. And unlike the Tier One vendors who still have new products and licensing schemes that they want to sell you, some of the legacy Tier Two and Tier Three vendors aren’t actively investing in new products and exist primarily to leverage the maximum possible revenue from the installed customer base.
This means that their audit practices can be much more aggressive than the Tier One vendors. We’ve seen settlement proposals from the smaller vendors where the license part only accounts for 25% of the overall claim, the rest being back interest and maintenance going back many years.
In short, Gartner might be right in that Tier One software publisher audit activity is down. But we are definitely seeing an increase in audit activity from the Tier Two and Tier Three vendors which can be even more expensive and difficult to address.
Make no mistake, compliance is not a challenge that has gone away; it has just moved from one set of vendors to another.